As we regularly observe on this blog, ransomware is dishonest and endlessly creative. It’s this capacity to find new variations on the same basic extortion template that has made it probably the most profitable commercial form of cybercrime yet invented.
Excepting the occasional technical hack (along with a talent for spotting weaknesses everyone else has overlooked), most of this innovation derives from a mixture of new social engineering ruses, clever marketing and business operations.
In 2023 we saw the emergence of dual ransomware attacks, in which victims find themselves fighting more than one ransomware attack at the same time. At first it was assumed this was coincidence, but it’s also likely that some of these attacks were engineered that way to increase chaos and confusion.
Since then, reports have emerged of a different version of the same idea, so-called “follow-on” or “re-extortion” attacks, two examples of which from October and November 2023 were recently documented by security company Arctic Wolf.
In the first, a victim of the Royal ransomware was contacted by a group calling itself the Ethical Side Group (ESG), claiming to have the ability to access data stolen during the original attack. The offer: ESG would hack into Royal’s infrastructure and delete the data in return for a fee.
In the second incident, a group calling itself anonymoux contacted a victim of the Akira ransomware group, making the same rather bold claim: pay us and we’ll make sure that your stolen data is wiped.
Arctic Wolf notes a number of odd similarities between the incidents. Both claimed to be legitimate researchers, both offered an identical service, and there were numerous phrases in common between the two in terms of their communication.
The company concludes:
“Based on the common elements identified between the cases documented here, we conclude with moderate confidence that a common threat actor has attempted to extort organizations who were previously victims of Royal and Akira ransomware attacks with follow-on efforts.”
Two points emerge from this, the first of which is that ransomware groups (or an affiliate connected to them) are opportunistically trying to re-extort the same victims, albeit by asking for smaller sums.
Second, even if the offers are unconnected with the group, relying on them to make good their promise to delete data is a fool’s game, assuming such a thing is even possible once data has been posted to who knows where.
Arctic Wolf doesn’t say whether either of the incidents resulted in payment but let’s be optimistic and assume that the fact they’re telling us about it means the victim was suspicious enough not to fall for the ploy.
Ransomware history suggests that re-extortion will probably grow in popularity during 2024 from a very low base. It’s unlikely to become a major tactic but that doesn’t mean it won’t become yet another possibility defenders must look out for.